bisecting cause commit starting from a0d54b4f5b219fb31f0776e9f53aa137e78ae431 building syzkaller on 2c1f2513486f21d26b1942ce77ffc782677fbf4e testing commit a0d54b4f5b219fb31f0776e9f53aa137e78ae431 with gcc (GCC) 8.1.0 kernel signature: 6395a8ceef11108c3478f880ad7d379cd37cb01dd3ce72a956a7a3aba6a23218 all runs: crashed: BUG: unable to handle kernel paging request in lzo_uncompress testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 8.1.0 kernel signature: a6dcebde7ec3618aa6b1fe94dc202f1265d8ed6df359cfa261b0e83cf088f6fb all runs: crashed: BUG: unable to handle kernel paging request in lzo_uncompress testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 8.1.0 kernel signature: ef97f4b1c9aadc15d5d08194614df265ffa6b70460375c3b183f83c91cae6b82 all runs: crashed: BUG: unable to handle kernel paging request in lzo_uncompress testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0 kernel signature: a74e1692b6504a79aa8abf61db7944106c8cda6b6a7d32fde10813c5858dae31 all runs: crashed: BUG: unable to handle kernel paging request in lzo_uncompress testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: b57688bead98a8f853deec5f97bfa4fb6d06b2736a38550270b5672ec0be529d all runs: OK # git bisect start bcf876870b95592b52519ed4aafcf9d95999bc9c 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 Bisecting: 8752 revisions left to test after this (roughly 13 steps) [694b5a5d313f3997764b67d52bab66ec7e59e714] Merge tag 'arm-soc-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 694b5a5d313f3997764b67d52bab66ec7e59e714 with gcc (GCC) 8.1.0 kernel signature: df92dac0a7465b647bf6bc10358b3756919d838734d6ec1c229522b6e1c77c79 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad 694b5a5d313f3997764b67d52bab66ec7e59e714 Bisecting: 4417 revisions left to test after this (roughly 12 steps) [2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63] Merge branch 'uaccess.comedi' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 with gcc (GCC) 8.1.0 kernel signature: 4ab7d7822be463091ed6c6288ed689ac413d23b2c25d07d6b10b35fc76586786 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad 2e63f6ce7ed2c4ff83ba30ad9ccad422289a6c63 Bisecting: 2658 revisions left to test after this (roughly 11 steps) [cfa3b8068b09f25037146bfd5eed041b78878bee] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit cfa3b8068b09f25037146bfd5eed041b78878bee with gcc (GCC) 8.1.0 kernel signature: e7a6231cda25b5e518699403b6994a088e992179e6bc9747697ba77456022f7a all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad cfa3b8068b09f25037146bfd5eed041b78878bee Bisecting: 885 revisions left to test after this (roughly 10 steps) [17e0a7cb6a254c6d086562e7adf8b7ac24d267f3] Merge tag 'x86-cleanups-2020-06-01' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 17e0a7cb6a254c6d086562e7adf8b7ac24d267f3 with gcc (GCC) 8.1.0 kernel signature: 8438f8a129b661c0aa2c07585ae117d01cb66b367ded9945c5e70315344779bb all runs: OK # git bisect good 17e0a7cb6a254c6d086562e7adf8b7ac24d267f3 Bisecting: 458 revisions left to test after this (roughly 9 steps) [17839856fd588f4ab6b789f482ed3ffd7c403e1f] gup: document and work around "COW can break either way" issue testing commit 17839856fd588f4ab6b789f482ed3ffd7c403e1f with gcc (GCC) 8.1.0 kernel signature: 515c8352a8803f4b6c8d256c088763c0d9f45bc2ee3bfbc8e7f876f29538d8dc all runs: OK # git bisect good 17839856fd588f4ab6b789f482ed3ffd7c403e1f Bisecting: 200 revisions left to test after this (roughly 8 steps) [c5d6c13843880ad0112f0513f3eb041b258be66e] Merge tag 'mmc-v5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc testing commit c5d6c13843880ad0112f0513f3eb041b258be66e with gcc (GCC) 8.1.0 kernel signature: da227d5fb934cbf03aa78173461d5a43fa4db469d94ed20abc38b4ae2ac7a9ad all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad c5d6c13843880ad0112f0513f3eb041b258be66e Bisecting: 128 revisions left to test after this (roughly 7 steps) [94709049fb8442fb2f7b91fbec3c2897a75e18df] Merge branch 'akpm' (patches from Andrew) testing commit 94709049fb8442fb2f7b91fbec3c2897a75e18df with gcc (GCC) 8.1.0 kernel signature: 4eb1e34bc7f29bc8899bf5c11bf639d789f998a0b0471d3b72e94ab9e5b57309 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad 94709049fb8442fb2f7b91fbec3c2897a75e18df Bisecting: 64 revisions left to test after this (roughly 6 steps) [08d3090fc8dadd7b726dbda99d1baa39382c3f2c] mm/swapfile.c: simplify the calculation of n_goal testing commit 08d3090fc8dadd7b726dbda99d1baa39382c3f2c with gcc (GCC) 8.1.0 kernel signature: 3acddcf398bf6994d0ce4978b303d85cf394dbe0df6a3e9736c445d64efbac8e all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad 08d3090fc8dadd7b726dbda99d1baa39382c3f2c Bisecting: 31 revisions left to test after this (roughly 5 steps) [0615090c5044cbf3bd64bfc2c3c968eaf61ab2fd] erofs: convert compressed files from readpages to readahead testing commit 0615090c5044cbf3bd64bfc2c3c968eaf61ab2fd with gcc (GCC) 8.1.0 kernel signature: 806428820cfbcd13242304434aef4b762644ee9b1f3af3f447a084c21c53bcb5 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad 0615090c5044cbf3bd64bfc2c3c968eaf61ab2fd Bisecting: 15 revisions left to test after this (roughly 4 steps) [a1ef8566525c78a9eca52e1ff91404f4595b85eb] mm: ignore return value of ->readpages testing commit a1ef8566525c78a9eca52e1ff91404f4595b85eb with gcc (GCC) 8.1.0 kernel signature: 02382bbb7ec82c4d1e06a01d6946ed14dfa2d143718cb2784c32aec31dd972af run #0: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress run #1: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress run #2: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress run #3: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress run #4: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress run #5: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress run #6: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress run #7: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress run #8: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress run #9: crashed: BUG: unable to handle kernel paging request in lzo_uncompress # git bisect bad a1ef8566525c78a9eca52e1ff91404f4595b85eb Bisecting: 7 revisions left to test after this (roughly 3 steps) [52f23478081ae0dcdb95d1650ea1e7d52d586829] mm/slub.c: fix corrupted freechain in deactivate_slab() testing commit 52f23478081ae0dcdb95d1650ea1e7d52d586829 with gcc (GCC) 8.1.0 kernel signature: 02167c69434d46399ce07a6d52060bc0cc6b9fbd265cb4e4d940a13c0c2e6dce all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad 52f23478081ae0dcdb95d1650ea1e7d52d586829 Bisecting: 3 revisions left to test after this (roughly 2 steps) [78128fabd022240852859c0b253972147593690b] arch/parisc/include/asm/pgtable.h: remove unused `old_pte' testing commit 78128fabd022240852859c0b253972147593690b with gcc (GCC) 8.1.0 kernel signature: ff227acfabbf8b10b40dcb9943215fb0fd4ace5a31e759992b1584dc6d94d559 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad 78128fabd022240852859c0b253972147593690b Bisecting: 1 revision left to test after this (roughly 1 step) [8f745e62a1926e57a671b0841241b60e80903dda] ocfs2: add missing annotation for dlm_empty_lockres() testing commit 8f745e62a1926e57a671b0841241b60e80903dda with gcc (GCC) 8.1.0 kernel signature: 54968598a2531daedb05a53804d934546f869944d065af0529aac664048e4fba all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad 8f745e62a1926e57a671b0841241b60e80903dda Bisecting: 0 revisions left to test after this (roughly 0 steps) [93e72b3c612adcaca13d874fcc86c53e6c8da541] squashfs: migrate from ll_rw_block usage to BIO testing commit 93e72b3c612adcaca13d874fcc86c53e6c8da541 with gcc (GCC) 8.1.0 kernel signature: 14eb3190824e6a1604baa3aaa425a8b2a878d67de81bc4aba8f1eac9b6b76090 all runs: crashed: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress # git bisect bad 93e72b3c612adcaca13d874fcc86c53e6c8da541 93e72b3c612adcaca13d874fcc86c53e6c8da541 is the first bad commit commit 93e72b3c612adcaca13d874fcc86c53e6c8da541 Author: Philippe Liard Date: Mon Jun 1 21:45:23 2020 -0700 squashfs: migrate from ll_rw_block usage to BIO ll_rw_block() function has been deprecated in favor of BIO which appears to come with large performance improvements. This patch decreases boot time by close to 40% when using squashfs for the root file-system. This is observed at least in the context of starting an Android VM on Chrome OS using crosvm. The patch was tested on 4.19 as well as master. This patch is largely based on Adrien Schildknecht's patch that was originally sent as https://lkml.org/lkml/2017/9/22/814 though with some significant changes and simplifications while also taking Phillip Lougher's feedback into account, around preserving support for FILE_CACHE in particular. [akpm@linux-foundation.org: fix build error reported by Randy] Link: http://lkml.kernel.org/r/319997c2-5fc8-f889-2ea3-d913308a7c1f@infradead.org Signed-off-by: Philippe Liard Signed-off-by: Andrew Morton Reviewed-by: Christoph Hellwig Cc: Adrien Schildknecht Cc: Phillip Lougher Cc: Guenter Roeck Cc: Daniel Rosenberg Link: https://chromium.googlesource.com/chromiumos/platform/crosvm Link: http://lkml.kernel.org/r/20191106074238.186023-1-pliard@google.com Signed-off-by: Linus Torvalds fs/squashfs/block.c | 273 +++++++++++++++++--------------- fs/squashfs/decompressor.h | 5 +- fs/squashfs/decompressor_multi.c | 9 +- fs/squashfs/decompressor_multi_percpu.c | 17 +- fs/squashfs/decompressor_single.c | 9 +- fs/squashfs/lz4_wrapper.c | 17 +- fs/squashfs/lzo_wrapper.c | 17 +- fs/squashfs/squashfs.h | 4 +- fs/squashfs/xz_wrapper.c | 51 +++--- fs/squashfs/zlib_wrapper.c | 63 ++++---- fs/squashfs/zstd_wrapper.c | 64 ++++---- 11 files changed, 287 insertions(+), 242 deletions(-) parent commit 9bf9511e3d9f328c03f6f79bfb741c3d18f2f2c0 wasn't tested testing commit 9bf9511e3d9f328c03f6f79bfb741c3d18f2f2c0 with gcc (GCC) 8.1.0 kernel signature: 167f7225b7f3e6b825a5419cecebb481d21b02f51d4820865c0b6acb0493541d culprit signature: 14eb3190824e6a1604baa3aaa425a8b2a878d67de81bc4aba8f1eac9b6b76090 parent signature: 167f7225b7f3e6b825a5419cecebb481d21b02f51d4820865c0b6acb0493541d revisions tested: 19, total time: 3h8m57.082423277s (build: 1h51m31.974458268s, test: 1h15m30.886999492s) first bad commit: 93e72b3c612adcaca13d874fcc86c53e6c8da541 squashfs: migrate from ll_rw_block usage to BIO recipients (to): ["akpm@linux-foundation.org" "hch@lst.de" "pliard@google.com" "torvalds@linux-foundation.org"] recipients (cc): [] crash: KASAN: vmalloc-out-of-bounds Write in lzo_uncompress ================================================================== BUG: KASAN: vmalloc-out-of-bounds in memcpy include/linux/string.h:381 [inline] BUG: KASAN: vmalloc-out-of-bounds in lzo_uncompress+0x350/0x520 fs/squashfs/lzo_wrapper.c:80 Write of size 4096 at addr ffffc90000f63e75 by task syz-executor.1/10120 CPU: 1 PID: 10120 Comm: syz-executor.1 Not tainted 5.7.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x96/0xe0 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x56/0x41e mm/kasan/report.c:382 __kasan_report.cold.11+0x20/0x38 mm/kasan/report.c:511 kasan_report+0x32/0x50 mm/kasan/common.c:625 check_memory_region_inline mm/kasan/generic.c:186 [inline] check_memory_region+0x1c1/0x1e0 mm/kasan/generic.c:192 memcpy+0x38/0x60 mm/kasan/common.c:107 memcpy include/linux/string.h:381 [inline] lzo_uncompress+0x350/0x520 fs/squashfs/lzo_wrapper.c:80 squashfs_decompress+0xce/0x1b0 fs/squashfs/decompressor_single.c:70 squashfs_read_data+0x194/0xd4e fs/squashfs/block.c:210 squashfs_cache_get+0x44e/0xe10 fs/squashfs/cache.c:110 squashfs_read_metadata+0xe1/0x3f0 fs/squashfs/cache.c:344 squashfs_read_inode+0x1b6/0x1d10 fs/squashfs/inode.c:115 squashfs_fill_super+0xe91/0x2101 fs/squashfs/super.c:310 get_tree_bdev+0x3ce/0x650 fs/super.c:1342 vfs_get_tree+0x7e/0x330 fs/super.c:1547 do_new_mount fs/namespace.c:2816 [inline] do_mount+0x102d/0x1750 fs/namespace.c:3141 __do_sys_mount fs/namespace.c:3350 [inline] __se_sys_mount fs/namespace.c:3327 [inline] __x64_sys_mount+0x15d/0x1b0 fs/namespace.c:3327 do_syscall_64+0x8e/0x4f0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x460c6a Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 ad 89 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 8a 89 fb ff c3 66 0f 1f 84 00 00 00 00 00 RSP: 002b:00007ffb4f587a78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007ffb4f587b10 RCX: 0000000000460c6a RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffb4f587ad0 RBP: 00007ffb4f587ad0 R08: 00007ffb4f587b10 R09: 0000000020000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000020000000 R13: 0000000020000100 R14: 0000000020000040 R15: 0000000020010200 Memory state around the buggy address: ffffc90000f63f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffc90000f63f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc90000f64000: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 ^ ffffc90000f64080: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 ffffc90000f64100: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 ==================================================================